hi guys,
Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
thoughts ?
- KB
On 07/21/2011 05:03 PM, Karanbir Singh wrote:
> hi guys,
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
> thoughts ?
announce the packages when they are pushed to the repo. include the explicit mention that they are ONLY there and that they will disappear when relocated to os / updates.
Hi,
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
the clean solution would be to divide those notifications into channels as well, although that would mean re-announcing packages as they move between channels.
On Thu, Jul 21, 2011 at 10:03 AM, Karanbir Singh mail-lists@karan.org wrote:
> hi guys,
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ?
What would be the feasibility of creating a CR-5 and CR-6 "topic" to the announce list? You could push the announcements to the new topics when they go to the CR, then a separate announcement to the regular topics for everyone that isn't using the CR repos.
On 07/21/2011 05:19 PM, William Hooper wrote:
> On Thu, Jul 21, 2011 at 10:03 AM, Karanbir Singh mail-lists@karan.org wrote:
> > hi guys,
> > Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ?
> What would be the feasibility of creating a CR-5 and CR-6 "topic" to the announce list? You could push the announcements to the new topics when they go to the CR, then a separate announcement to the regular topics for everyone that isn't using the CR repos.
This is the approach that I'd like most.
Karanbir Singh wrote:
> hi guys,
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
> thoughts ?
Using CentOS 6.1 as an example, will the packages be announced again once 6.1 is released? I'm assuming they would, as that would indicate the updates are available from the regular updates repository. In that case, you'd have 2 announcements for each update: one for the CR release, and another for the "regular" release.
How about a "centos-announce-cr" mailing list for those who want to be notified of CR updates?
-Greg
On 21 July 2011 15:03, Karanbir Singh mail-lists@karan.org wrote:
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
My feeling is that an announcement should only be made when the packages are finally available from either the os/ or updates/ repositories. Those of us who feel so inclined to use packages from the proposed cr/ repo. will have the technical expertise to evaluate the repository's contents on a daily basis (or any other frequency so desired).
Alan.
On 7/21/2011 9:47 AM, Alan Bartlett wrote:
> On 21 July 2011 15:03, Karanbir Singh mail-lists@karan.org wrote:
> > Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
> My feeling is that an announcement should only be made when the packages are finally available from either the os/ or updates/ repositories. Those of us who feel so inclined to use packages from the proposed cr/ repo. will have the technical expertise to evaluate the repository's contents on a daily basis (or any other frequency so desired).
The important thing to know is when published CVE's are fixed upstream so you can judge how important the vulnerability is to your system's exposure and how soon you have to do something about it. Whether that involves the CR repos or something else, it is a CentOS-specific risk we are all taking.
On 21 July 2011 16:05, Les Mikesell lesmikesell@gmail.com wrote:
> The important thing to know is when published CVE's are fixed upstream
Sorry Les but you are going OT. With regard to what you have just said, we all have the ability to monitor what the "Upstream Vendor" does.
Alan.
On 7/21/2011 10:19 AM, Alan Bartlett wrote:
> On 21 July 2011 16:05, Les Mikesell lesmikesell@gmail.com wrote:
> > The important thing to know is when published CVE's are fixed upstream
> Sorry Les but you are going OT. With regard to what you have just said, we all have the ability to monitor what the "Upstream Vendor" does.
And I'm sorry that you think that well-known but unpatched vulnerabilities in the software published as CentOS is OT. What the upstream vendor has said about it isn't the relevant point. What is relevant is that CentOS has shipped the vulnerabilities; a lot of other people know about them, and the CentOS users deserve to know as well, especially when the fix is hidden in the CR repo.
On 21 July 2011 16:41, Les Mikesell lesmikesell@gmail.com wrote:
> On 7/21/2011 10:19 AM, Alan Bartlett wrote:
> > On 21 July 2011 16:05, Les Mikesell lesmikesell@gmail.com wrote:
> > > The important thing to know is when published CVE's are fixed upstream
> > Sorry Les but you are going OT. With regard to what you have just said, we all have the ability to monitor what the "Upstream Vendor" does.
> And I'm sorry that you think that well-known but unpatched vulnerabilities in the software published as CentOS is OT. What the upstream vendor has said about it isn't the relevant point. What is relevant is that CentOS has shipped the vulnerabilities; a lot of other people know about them, and the CentOS users deserve to know as well, especially when the fix is hidden in the CR repo.
Riding on your hobby-horse, once again.
See KB's opening post to this thread. That sets the topic.
Alan.
On 7/21/2011 10:57 AM, Alan Bartlett wrote:
> On 21 July 2011 16:41, Les Mikesell lesmikesell@gmail.com wrote:
> > On 7/21/2011 10:19 AM, Alan Bartlett wrote:
> > > On 21 July 2011 16:05, Les Mikesell lesmikesell@gmail.com wrote:
> > > > The important thing to know is when published CVE's are fixed upstream
> > > Sorry Les but you are going OT. With regard to what you have just said, we all have the ability to monitor what the "Upstream Vendor" does.
> > And I'm sorry that you think that well-known but unpatched vulnerabilities in the software published as CentOS is OT. What the upstream vendor has said about it isn't the relevant point. What is relevant is that CentOS has shipped the vulnerabilities; a lot of other people know about them, and the CentOS users deserve to know as well, especially when the fix is hidden in the CR repo.
> Riding on your hobby-horse, once again.
> See KB's opening post to this thread. That sets the topic.
And I'm trying to correct it from a user's perspective. If I have a specific bug in an application or driver that affects my system, I'll know about it and seek out the fix. The ones I need to be informed about are the security vulnerabilities included but hidden in the distribution, and I especially need to know that when they are published in a way that makes a large number of other people aware that my system still has them.
On 21 July 2011 17:15, Les Mikesell lesmikesell@gmail.com wrote:
> On 7/21/2011 10:57 AM, Alan Bartlett wrote:
> > Riding on your hobby-horse, once again.
> > See KB's opening post to this thread. That sets the topic.
> And I'm trying to correct it from a user's perspective. If I have a specific bug in an application or driver that affects my system, I'll know about it and seek out the fix. The ones I need to be informed about are the security vulnerabilities included but hidden in the distribution, and I especially need to know that when they are published in a way that makes a large number of other people aware that my system still has them.
I'll leave it to KB to say if he requires you to correct his actions.
Alan.
On Thu, 21 Jul 2011, Alan Bartlett wrote:
> On 21 July 2011 16:05, Les Mikesell lesmikesell@gmail.com wrote:
> > The important thing to know is when published CVE's are fixed upstream
> Sorry Les but you are going OT. With regard to what you have just said, we all have the ability to monitor what the "Upstream Vendor" does.
dunno that Les' remark is that off the beam ---
Manually crafting release notices on CR stuff sounds like a low reward task, and I'd be tempted to automate it -- parsing the --changelog for the most recent 3 entries, and slapping them in the post, so they might trivially be scanned, seems like a 'good thing' (TM)
-- Russ herrold
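A sketch of the automation suggested in the message above, added here as an example and not part of the thread or of any CentOS tooling: it takes the text printed by `rpm -q --changelog`, keeps the three newest entries, and lists any CVE identifiers they mention. The function names, package name, notice layout and sample changelog (including its placeholder CVE numbers) are assumptions constructed for illustration.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample of `rpm -q --changelog <package>` output (newest entry
# first). Names, versions and CVE identifiers are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Tue Jul 19 2011 Example Packager <packager@example.org> - 1.0-4
- fix buffer handling in parser (CVE-0000-0002)
- resolves: #000002

* Mon Jun 06 2011 Example Packager <packager@example.org> - 1.0-3
- rebuild for new toolchain

* Fri May 13 2011 Example Packager <packager@example.org> - 1.0-2
- fix temp file race (CVE-0000-0001)

* Tue Jan 04 2011 Example Packager <packager@example.org> - 1.0-1
- initial build
"""


def recent_entries(changelog, limit=3):
    """Split changelog text into entries and return the newest `limit`."""
    entries, current = [], None
    for line in changelog.splitlines():
        if line.startswith("* "):        # a header line opens a new entry
            if len(entries) == limit:    # enough entries collected, stop
                break
            current = {"header": line[2:].strip(), "changes": []}
            entries.append(current)
        elif line.strip() and current is not None:
            current["changes"].append(line.strip())
    return entries


def build_notice(package, repo, changelog, limit=3):
    """Return (notice_text, cve_ids) built from the newest changelog entries."""
    entries = recent_entries(changelog, limit)
    cves = sorted({cve for e in entries for change in e["changes"]
                   for cve in CVE_RE.findall(change)})
    lines = [f"Package: {package}", f"Repository: {repo}",
             "CVEs mentioned: " + (", ".join(cves) if cves else "none"), ""]
    for e in entries:
        lines.append("* " + e["header"])
        lines.extend("  " + change for change in e["changes"])
    return "\n".join(lines), cves


if __name__ == "__main__":
    print(build_notice("example-pkg-1.0-4", "cr", SAMPLE_CHANGELOG)[0])
```
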
On Thu, 21 Jul 2011, Karanbir Singh wrote:
> Opinions on what would be a good time to announce rpms that make it into the CR/ repo's ? As we build through 5.7 and 6.1, and start pushing the packages into the CR/ repo, should we also be announcing those updates ? On one hand it seems like the best time to announce it since the rpms are available - however they are only available to people who specifically opt into the CR/ process, so perhaps the best time to announce them would be when the rpms are in the os ( or updates/ ) repos in the next release.
> thoughts ?
I assume the 'cr' goal is to provide early release of un-vetted (as to potential changes needed for anaconda and ISO making) updates during interstitial periods when a new point release is being turned into an installable ISO
Once the installable releases, CR seems irrelevant until the next time, as 'updates' would have content
As such the flow of announcements will be a flood, or famine
I would set up a centos-cr-announce mailing RO list, add a request to the message footer that the receiver file bugs, and just post there
Optionally it might make sense to partition this list into $MAJOR variants centos-cr-4-announce centos-cr-5-announce centos-cr-6-announce
-- Russ herrold
On Thu, Jul 21, 2011 at 12:44:09PM -0400, R P Herrold wrote:
> I would set up a centos-cr-announce mailing RO list, add a request to the message footer that the receiver file bugs, and just post there
+1
This is supposed to be opt-in; keeping such announcements off the primary announce list and on a list of their own seems the right thing to do.
> Optionally it might make sense to partition this list into $MAJOR variants centos-cr-4-announce centos-cr-5-announce centos-cr-6-announce
+1
John
On 2011-07-21 18:44, R P Herrold wrote:
> On Thu, 21 Jul 2011, Karanbir Singh wrote:
> I would set up a centos-cr-announce mailing RO list, add a request to the message footer that the receiver file bugs, and just post there
+1
> Optionally it might make sense to partition this list into $MAJOR variants centos-cr-4-announce centos-cr-5-announce centos-cr-6-announce
+1